API usage requires user password

The current API (v2) requires the usage of the user password (or just the MD5 hash of the password) for signing requests. As I want to build a web-based app, I'd prefer not to have these in my environment. Instead, I would like to see something like OAuth, where I get a user- and app-specific token to sign my requests with.

To completely redesign the API would be too much; I might have some suggestions/ideas where the impact could be minimised to achieve this.